
SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

-- Industrial Control System (ICS) Security Training In-depth, hands-on technical courses taught by top SCADA experts. Gain the most current information regarding SCADA and Control System threats and learn how to best prepare to defend against them. Leave the event with solutions that you can immediately put to use in your organization.

-- SANS Rocky Mountain 2013 Denver, CO July 14-20, 2013 10 courses. Bonus evening sessions include OODA - The Secret to Effective Security in Any Environment; and APT: It is Not Time to Pray, It is Time to Act. http://www.sans.org/event/rocky-mountain-2013

-- SANS Virginia Beach 2013 Virginia Beach, VA August 19-30, 2013 10 courses. Bonus evening presentations include Thanks for Recovering ... Now I Can Hack You!; Everything I Know is Wrong!; and So What? The Most Important Question in Information Security. Keynote Address: APT: It is Time to Act. http://www.sans.org/event/virginia-beach-2013

-- SANS London Summer 2013 London, UK July 9-July 16, 2013 4 courses. SANS has added a new London date to the security-training calendar, giving security professionals the opportunity to take one of four of SANS' most popular 6-day courses and the excellent 2 day Securing The Human course. http://www.sans.org/event/london-summer-2013

-- SANS Mumbai 2013 Mumbai, India July 22-27, 2013 Our two most popular security courses that will get you started on your security career - SEC 401 Security Essentials Bootcamp Style and SEC504: Hacker Techniques, Exploits & Incident Handling. http://www.sans.org/event/mumbai-2013

TOP OF THE NEWS

US government agencies' efforts to train and recruit cybersecurity specialists have not produced the numbers of skilled professionals necessary to adequately protect the country's critical networks. Some programs are focusing on training students in STEM, but there also needs to be training that focuses on real-world experience instead of academics and policy issues. The US Department of Homeland Security (DHS) is introducing rigorous programs like the National Collegiate Cyber Defense Competition, which culminates in a national finals round. Defense Department cybersecurity training is continuously changing to meet new technologies and the evolving cyberspace. What is critical is that those providing the training have strong technical skills that match the needs of defending the country's networks.
-http://fcw.com/articles/2013/06/26/cybersecurity-training.aspx
[Editor's Note (Assante): It is long past due for a deeper description of "technical skills"; if we can't define them, then we can't cultivate them through practice. There are new concepts and tools becoming available that place students into real-world situations and present the flexibility to try to defend and attack systems. We need to marry these new approaches with a stronger understanding of the skills and abilities that have more enduring impact! (Pescatore): I think we all know the difference between the typical college education (learn how to think) and our first hands-on/on-the-job experience (learn how to do). You need both, but in information security the bigger lack is in the latter.]

Former NSA Official Says Anti-Leak Technology Not Deployed as of Summer 2012 (June 27, 2013)

A former NSA cybersecurity official said that when he left the agency in the summer of 2012, there was no anti-leak technology on NSA networks. After Bradley Manning's alleged data theft came to light, the US Department of Defense rolled out a Host Based Security System (HBSS) to detect unauthorized activity on DOD networks. One of the system's features is to monitor removable data devices, like those allegedly used by Manning and more recently by Edward Snowden. The official said that the HBSS was not installed on NSA networks as of last summer. He also commented on NSA Director General Keith Alexander's plan to have the NSA use a two-person rule for data access, saying that it could prove too cumbersome for specialists who need to do fast-paced work, and noted that "the best safeguard would be locking down the content at the source."
-http://www.nextgov.com/cybersecurity/2013/06/nsa-networks-might-have-been-missing-anti-leak-technology/65708/

2) Digital Forensics Survey Results released during a July 18 webcast at 1 PM EDT. Register for the webcast and automatically sign up for a copy of the associated report. http://www.sans.org/info/133707

Hackers managed to gain access to the internal network at Opera Software and steal at least one digital certificate that has since been used to sign malware. The malware may have affected several thousand people who were running the Opera browser on Windows for a 26-minute period on June 19.
-http://www.zdnet.com/opera-code-signing-certificate-abused-in-failed-breach-7000017361/
-http://www.scmagazine.com//maker-of-opera-browser-said-its-network-was-hacked-to-steal-code-signing-certificate/article/300580/
[Editor's Note (Ullrich): The key fact to understand here is that the Opera update server was compromised and used to distribute malware signed with a genuine Opera certificate. Opera's update check runs automatically without any user interaction, so users updating during the 6 minutes the malware was pushed are unlikely to be aware that they got infected. (Pescatore): In their blog post on this event, the bad news is that this caused a compromise of the Opera auto-update mechanism, subverting that to allow the attacker to install any malicious payload. The good news is that Opera says it only impacts those who were using Opera between 01.00 and 01.36 UTC on June 19th. The really bad news is that the attack worked even though the stolen code signing certificate was expired. Opera says they depend on the operating system to check certificate validity, but "in the future it would certainly be possible to run our own checks on the certificate of downloaded autoupdates." Please do!! And to the Certificate Authority/Browser Forum's recently formed Code Signing Working Group: please all agree to do so!!]

A recently detected variant of Citadel malware can modify or replace web pages visited by users whose computers are infected. The malware displays a message telling the users that their accounts have been blocked because of suspicious activity. Users are then prompted to enter access credentials and credit card information to confirm that they are the legitimate account holders. The URL that appears in the browser bar is that of the real website. This variant of Citadel is targeting users in France, Spain, Italy, and Germany.
-http://www.computerworld.com/s/article/9240407/Citadel_malware_targets_localized_brands_and_users?taxonomyId=17

Organizations are Not Doing Enough to Defend Themselves from Cybercrime (June 26, 2013)

According to the 2013 State of Cybercrime Survey from PwC, "Organizations are misjudging the severity of risks they face from a financial, reputational, and regulatory perspective." Current defenses against cyberattacks are not effective because executives either do not understand the scope and import of the threats, or they have stopped paying attention. Many leaders are unaware of who in their organizations is responsible for cybersecurity. They also "underestimate the capabilities of their attackers and the damage they can cause." The leaders also appear not to understand that, while using smart cloud services and other technological advances may help productivity, they introduce their own vulnerabilities.
-http://www.csoonline.com/article/735511/why-business-is-losing-the-war-against-cybercrime?source=CSONLE_nlt_update_2013-06-27
-http://www.pwc.com/us/en/press-releases/2013/cybercrime-threats-continue.jhtml
[Editor's Note (Pescatore): I know we would all like to believe that they are "misjudging the severity of risks they face from a financial, reputational, and regulatory perspective," and certainly many are. But the vast majority actually really do weigh those risks, and find the costs of dealing with those risks from a business disruption and budget point of view are actually higher than their anticipated cost of the incidents they see from *not* funding and deploying mitigation - and they are quite often right. Risk management is *not* making sure you have no cyber risks!! Risk management done right will often take risks when the alternative is worse than avoiding the risk - that is why many battles are won and many new business initiatives succeed, even though many fail. The real leaps forward are not made by convincing management about threat risk; they are made by showing them solutions to the risks that are less disruptive and less expensive to the business than enduring the breach.]

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry recently retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response. He is now president of CrowdStrike Services.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and the Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is a Principal at The Chertoff Group and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/